
How can our messaging be surveilled by the state? The European Court of Justice will decide


We hear most often about surveillance by the security services of the U.S., but European states also need information about what criminal organisations and terrorists are planning and who participates in them. On the other hand, the total surveillance state raises justified suspicions, particularly in post-communist countries. Moreover, information does not always come from direct surveillance by the state: government agencies would also like access to as much as possible of the data collected and stored by private actors for their own purposes. Although the processing of data for preventing and fighting crime falls under neither the General Data Protection Regulation (GDPR) nor the e-privacy directive, the collection of data by private organisations does.
On Wednesday, 15 January, the opinion of the advocate general of the European Court of Justice (ECoJ) was published in three such cases (joined cases C-511/18 and C-512/18, C-623/17 and C-520/18). A French, a British and a Belgian court requested preliminary rulings on the interpretation of European data protection law. The Luxembourg institution has dealt with the topic before: I wrote on portfolio.hu (the English version is premium content) about the background and the advocate general’s opinion in the Facebook case. The directive about transferring passenger name records (PNR) was also declared invalid by the court, likewise because of excessive intrusion into privacy. Two further judgments (TELE2 Sweden and Watson) are considered fundamental in the domain: the Court issued its judgment in December 2016 and declared that
Even for the purpose of fighting crime, the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication cannot be provided for.
Three conditions were formulated: collection has to be restricted solely to fighting serious crime, access should be subject to prior review by a court or an independent administrative authority, and the data should be retained within the European Union. In a subsequent case (Ministerio Fiscal, C-207/61), where different SIM cards were placed in a stolen mobile phone, it was, however, found justified that the authorities should have access to the data of the owners of all the SIM cards activated with it.
Although in the current cases we only know the opinion submitted by Advocate General Sánchez-Bordona and the judgment will come later, the three cases are linked, which enabled the expert to examine the issue carefully, with the three opinions also referring to each other. It is also commonplace that the Court very often accepts the opinion, and even when it is not followed completely at the time, the considerations and principles outlined in it become part of European legal thinking and can influence later cases.
The advocate general formulated a very important principle by saying: Although terrorism takes into account, when justifying its means, only the (maximal) effectiveness of the attacks against the existing order, the rule of law can only measure effectivity by criteria which do not tolerate, during its defence, the procedures and guarantees which lend the rule of law its legitimacy.
Were a state based on the rule of law to subordinate itself without further restrictions to pure effectivity, it would lose the characteristic which differentiates it, and in an extreme case the state itself would also become a menace. Nothing would ensure that, if tools to fight crime were at the disposal of the public authorities to an extreme degree, by which they could ignore or weaken fundamental rights, their uncontrolled and completely free application would not finally harm the liberty of everybody.
It has to be noted that the European Court of Justice does not directly decide the cases brought to it in a reference for a preliminary ruling (there are cases which it does decide, like those brought against decisions of the Commission or brought by the Commission against member states in infringement cases); it only gives guidance on how to interpret European law. This is, however, always done within the limits of the circumstances of the concrete case. Therefore different proposals for judgment were made in the three (actually four, as two were joined) cases now being discussed. Together, the considerations leading to these proposals mark out the framework in which further similar cases will probably be judged.
Which law is to be applied (the GDPR or the directive on data protection in the area of the fight against crime) seems to be a formal question; the legal guarantees are, however, different between the area of general data processing and the area of prevention of and fight against crime (precisely: prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties). The latter is not even regulated by a European regulation, but by a directive which gives member states wider liberty to formulate their own rules (of course within the limits set by the directive). Evidently, the GDPR also contains restrictions on the rights of data subjects, taking into account the needs of the fight against crime, national security and similar purposes. The preconditions for restricting these rights are nevertheless stricter. In spite of this, the handling of data of air passengers (PNR) was deemed illegitimate even based on the directive on data protection in the fight against crime. The difference is, according to the opinion of the advocate general, that there the data were processed directly by agencies of the state, while here the authorities wanted to access data collected by private organisations for private (commercial) purposes.
On the one hand, the opinion reinforces the conditions already established in the Tele2 and Watson cases, but it emphasizes that even in a situation characterised by a grave and persistent threat to national security, it is not justified to oblige providers to retain all data generally and without differentiation. This holds whether the data are accessed in real time or during their subsequent storage. “It has to be prescribed that the pre-defined models and aspects concerning the processing of data have to be concrete, reliable and devoid of discrimination in a way to enable the identification of persons who can reasonably be suspected to participate in acts of terrorism.”
The advocate general explicitly adds one more requirement to these:
the obligation to inform the data subjects about the fact that the relevant authorities process their data, unless this information would endanger the procedures of these authorities.
This information obligation has to be fulfilled once it no longer endangers the investigation in progress.
All this is in conformity with Article 23 of the GDPR, which restricts the rights of data subjects. The opinion, incidentally and quite logically, extends the concept of preventing and fighting crime to national security, territorial defence, public security, the prevention of illegal use of electronic communication devices and any other purposes prescribed in the GDPR (probably, although this is not explicitly mentioned in the opinion, in the abovementioned Article 23).
It is interesting that only one case turns on a concrete instance of data processing; in the others the plaintiffs demand the annulment of the laws regulating the surveillance. In Belgium the law now under challenge was passed precisely after the annulment of its predecessor by the Constitutional Court following the PNR case, while in France it is the law on internal security.
The European Court not only does not decide the individual legal case (as mentioned above) but also tasks the national court dealing with the case with deciding whether the requirements the ECoJ formulates are fulfilled in the concrete case. In these cases it also leaves it to the national court to ascertain whether the laws in question limit the intrusion to cases whose gravity renders the access indispensable and whether the conditions set out above are complied with.
Beyond that, it also allows the legal effect of the law to be retained, even when it is annulled, if this is justified by the fight against threats to national or public security. The effect can, however, only be maintained for the period absolutely necessary to remedy the established incompatibility with Union law.
Finally, it is worth mentioning that the case law of the European Court of Human Rights is also taken into account in legal proceedings concerning fundamental rights. The latest publication of the Strasbourg-based court on surveillance was issued in September 2019. The practice of this body is limited to judging the procedures of state actors, and it raises objections only if fundamental rights are infringed; it is thus sometimes more permissive than the European Court of Justice. It allowed, for example, mass collection of data if the appropriate safeguards were provided. The advocate general also tries to reconcile this contradiction by prescribing appropriate conditions and requirements in the cases in question. Thus, we will learn a lot from the final judgments of the Court about when, how and why state actors can monitor us and what the guarantees of our rights will be.

The Hungarian version of this article appeared on portfolio.hu
